[Owncloud] Question about security

Frank Karlitschek karlitschek at kde.org
Thu Aug 12 18:27:49 UTC 2010


On 11.08.2010, at 00:02, Pauleman (DerPaul) wrote:

> Hello all,
> 
> just for fun I tested to download a file directly from the data location 
> of owncloud. I was surprised that there was no protection of the data 
> directory and also of the backup directory. Is there any idea to prevent 
> the direct access?
> 
> Regards
> 
> Pauleman




Hi,

I think this is a very good point.
Having an unprotected document directory in your webdirectory is a bad idea.

I think we need some fancy logic for this problem.
ownCloud should check if the current document directory is in the documentroot and accessible from the internet. If no -> no problem. If yes, try to automatically put a .htaccess in the directory and check with a fopen http request if access is still possible. If no -> problem solved. If yes -> big security problem and do nothing till the user fixes this security hole.


Cheers
Frank




--
Frank Karlitschek
karlitschek at kde.org
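
The check proposed in the message above, sketched in PHP as an added example. It is not ownCloud code and not from the original thread. All function names, the probe file naming and the paths in the usage comment are hypothetical, and it assumes Apache with .htaccess overrides enabled and allow_url_fopen turned on.

```php
<?php
// Added example; not ownCloud code. All names here are hypothetical.

// Deny rule covering both Apache 2.4 (mod_authz_core) and the older 2.2 syntax.
const DENY_RULES = "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n"
                 . "<IfModule !mod_authz_core.c>\nDeny from all\n</IfModule>\n";

/** True if $dataDir resolves (symlinks included) to a path inside $docRoot. */
function insideDocRoot(string $dataDir, string $docRoot): bool {
    $data = realpath($dataDir);
    $root = realpath($docRoot);
    if ($data === false || $root === false) {
        throw new RuntimeException('data directory or document root does not exist');
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($data . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

/** Drop a random token file into $dataDir and try to fetch it from $dataUrl. */
function servedOverHttp(string $dataDir, string $dataUrl): bool {
    $name  = 'probe-' . bin2hex(random_bytes(8)) . '.txt';
    $token = bin2hex(random_bytes(16));
    file_put_contents($dataDir . '/' . $name, $token);
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
    $body = @file_get_contents(rtrim($dataUrl, '/') . '/' . $name, false, $ctx);
    unlink($dataDir . '/' . $name);
    // Compare content, not status: a custom error page must not count as a leak.
    return $body !== false && strpos($body, $token) !== false;
}

/** Returns 'ok' or 'blocked', following the steps in the message above. */
function checkDataDir(string $dataDir, string $docRoot, string $dataUrl): string {
    if (!insideDocRoot($dataDir, $docRoot) || !servedOverHttp($dataDir, $dataUrl)) {
        return 'ok';
    }
    // Do not overwrite an .htaccess the administrator already placed there.
    if (!file_exists($dataDir . '/.htaccess')) {
        file_put_contents($dataDir . '/.htaccess', DENY_RULES);
    }
    return servedOverHttp($dataDir, $dataUrl) ? 'blocked' : 'ok';
}

if (PHP_SAPI === 'cli' && isset($argv[3])) {
    // Constructed example arguments:
    // php check.php /var/www/owncloud/data /var/www https://cloud.example.org/owncloud/data
    echo checkDataDir($argv[1], $argv[2], $argv[3]), "\n";
}
```

A probe that cannot connect at all also reports 'ok', so the same fetch should be repeated from a host outside the server's network before the result is trusted.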






